Re: Multiple Server Certificates
On Mon, Jun 11, 2001 at 09:45:13AM +0100, Hooper, Paul, (FNMF) wrote:
> I have an Apache server running multiple Name Based Virtual Hosts, all
> running SSL with both server and client authentication. I have not been
> able to set up different server certificates for individual virtual hosts,
> and I have been told that this is not possible.
> Is this really the case and, if so, can anyone recommend a solution to meet
> this requirement.
>

Read the FAQ: http://www.modssl.org/docs/2.8/ssl_faq.html#vhosts
You must have a separate ip/port for each vhost.

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall

__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]

RE: Multiple Server Certificates
Owen,

Thank you very much. I hadn't dared hope for such a clear and succinct answer.
Much appreciated.

Paul

-----Original Message-----
From: Owen Boyle [mailto:[EMAIL PROTECTED]]
Sent: 11 June 2001 10:34
To: [EMAIL PROTECTED]
Subject: Re: Multiple Server Certificates

"Hooper, Paul, (FNMF)" wrote:
>
> I have an Apache server running multiple Name Based Virtual Hosts, all
> running SSL with both server and client authentication. I have not been
> able to set up different server certificates for individual virtual hosts,
> and I have been told that this is not possible.
> Is this really the case and, if so, can anyone recommend a solution to meet
> this requirement.

http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47

Q: Why is it not possible to use Name-Based Virtual Hosting to identify
different SSL virtual hosts?

A: Name-Based Virtual Hosting is a very popular method of identifying
different virtual hosts. It allows you to use the same IP address and the
same port number for many different sites. When people move on to SSL, it
seems natural to assume that the same method can be used to have lots of
different SSL virtual hosts on the same server.

It comes as rather a shock to learn that it is impossible.

The reason is that the SSL protocol is a separate layer which encapsulates
the HTTP protocol. So the problem is that the SSL session is a separate
transaction that takes place before the HTTP session even starts. Therefore
all the server receives is an SSL request on IP address X and port Y
(usually 443). Since the SSL request does not contain any Host: field, the
server has no way to decide which SSL virtual host to use. Usually, it will
just use the first one it finds that matches the port and IP address.

You can, of course, use Name-Based Virtual Hosting to identify many non-SSL
virtual hosts (all on port 80, for example) and then you can have no more
than 1 SSL virtual host (on port 443). But if you do this, you must make
sure to put the non-SSL port number on the NameVirtualHost directive, e.g.

    NameVirtualHost 192.168.1.1:80

Other workaround solutions are:

    Use separate IP addresses for different SSL hosts.
    Use different port numbers for different SSL hosts.

Rgds,

Owen Boyle.

Re: Multiple Server Certificates

"Hooper, Paul, (FNMF)" wrote:
>
> I have an Apache server running multiple Name Based Virtual Hosts, all
> running SSL with both server and client authentication. I have not been
> able to set up different server certificates for individual virtual hosts,
> and I have been told that this is not possible.
> Is this really the case and, if so, can anyone recommend a solution to meet
> this requirement.

http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47

Q: Why is it not possible to use Name-Based Virtual Hosting to identify
different SSL virtual hosts?

A: Name-Based Virtual Hosting is a very popular method of identifying
different virtual hosts. It allows you to use the same IP address and the
same port number for many different sites. When people move on to SSL, it
seems natural to assume that the same method can be used to have lots of
different SSL virtual hosts on the same server.

It comes as rather a shock to learn that it is impossible.

The reason is that the SSL protocol is a separate layer which encapsulates
the HTTP protocol. So the problem is that the SSL session is a separate
transaction that takes place before the HTTP session even starts. Therefore
all the server receives is an SSL request on IP address X and port Y
(usually 443). Since the SSL request does not contain any Host: field, the
server has no way to decide which SSL virtual host to use. Usually, it will
just use the first one it finds that matches the port and IP address.

You can, of course, use Name-Based Virtual Hosting to identify many non-SSL
virtual hosts (all on port 80, for example) and then you can have no more
than 1 SSL virtual host (on port 443). But if you do this, you must make
sure to put the non-SSL port number on the NameVirtualHost directive, e.g.

    NameVirtualHost 192.168.1.1:80

Other workaround solutions are:

    Use separate IP addresses for different SSL hosts.
    Use different port numbers for different SSL hosts.

Rgds,

Owen Boyle.
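
The layout the quoted FAQ answer describes, written out as an httpd.conf fragment for Apache with mod_ssl 2.8. This is an added example, not part of the thread or of the mod_ssl documentation; the host names, the second IP address (192.168.1.2) and all file paths are placeholders.

```apache
# Added example: name-based hosting on port 80, one SSL host per IP address.
# Host names, 192.168.1.2 and every file path below are placeholders.

Listen 80
Listen 443

# Name-based matching is limited to the non-SSL port, as the FAQ requires.
NameVirtualHost 192.168.1.1:80

<VirtualHost 192.168.1.1:80>
    ServerName www.site-a.example
    DocumentRoot /var/www/site-a
</VirtualHost>

<VirtualHost 192.168.1.1:80>
    ServerName www.site-b.example
    DocumentRoot /var/www/site-b
</VirtualHost>

# SSL hosts are told apart by the address the connection arrived on,
# because the certificate is chosen before any Host: header is seen.
<VirtualHost 192.168.1.1:443>
    ServerName www.site-a.example
    DocumentRoot /var/www/site-a
    SSLEngine on
    SSLCertificateFile    /etc/apache/ssl/site-a.crt
    SSLCertificateKeyFile /etc/apache/ssl/site-a.key
    # Client authentication, as in the original question.
    SSLVerifyClient require
    SSLVerifyDepth  1
    SSLCACertificateFile  /etc/apache/ssl/site-a-client-ca.crt
</VirtualHost>

<VirtualHost 192.168.1.2:443>
    ServerName www.site-b.example
    DocumentRoot /var/www/site-b
    SSLEngine on
    SSLCertificateFile    /etc/apache/ssl/site-b.crt
    SSLCertificateKeyFile /etc/apache/ssl/site-b.key
    SSLVerifyClient require
    SSLVerifyDepth  1
    SSLCACertificateFile  /etc/apache/ssl/site-b-client-ca.crt
</VirtualHost>
```

The other workaround from the FAQ keeps a single IP address and gives each SSL host its own port instead, with a matching Listen line for each port.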